diff --git a/tf/actions/samlMappings.js b/tf/actions/samlMappings.js
index 6316c97..7ea3bea 100644
--- a/tf/actions/samlMappings.js
+++ b/tf/actions/samlMappings.js
@@ -13,9 +13,11 @@ exports.onExecutePostLogin = async (event, api) => {
 'team_mzai',
 'team_mzvc'
 ];
-const userGroups = event.user.metadata?.groups || [];
+const userGroups = event.user.app_metadata?.groups || [];
 const selectGroups = tineGroups.filter(group => userGroups.includes(group));
-api.samlResponse.setAttribute("groups", selectGroups);
+api.samlResponse.setAttribute("http://sso.mozilla.com/claim/groups", selectGroups);
+// DELETE the standard group claim
+api.samlResponse.setAttribute("http://schemas.xmlsoap.org/claims/Group", null);
 break;
 case "wgh8S9GaE7sJ4i0QrAzeMxFXgWZYtB0l": // sage-intacct
diff --git a/tf/tests/samlMappings.test.js b/tf/tests/samlMappings.test.js
index 738907a..571112a 100644
--- a/tf/tests/samlMappings.test.js
+++ b/tf/tests/samlMappings.test.js
@@ -118,8 +118,8 @@ describe('Tines SAML tests', () => {
 test.each(clientIDs)('Ensure SAML configuration mappings for client %s', async (clientID) => {
 _event.client.client_id = clientID;
-_event.user.metadata = {};
-_event.user.metadata.groups = [
+_event.user.app_metadata = {};
+_event.user.app_metadata.groups = [
 'mozilliansorg_sec_tines-admin',
 'foo',
 'mozilliansorg_sec_tines-access',
@@ -132,7 +132,7 @@ describe('Tines SAML tests', () => {
 ];
 expectedSamlAttributes = {
-"groups": [
+"http://sso.mozilla.com/claim/groups": [
 'mozilliansorg_sec_tines-admin',
 'mozilliansorg_sec_tines-access',
 'team_moco',
@@ -140,7 +140,9 @@ describe('Tines SAML tests', () => {
 'team_mzla',
 'team_mzai',
 'team_mzvc'
-]};
+],
+"http://schemas.xmlsoap.org/claims/Group": null
+};
 // Execute onExecutePostLogin
 await onExecutePostLogin(_event, api);
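Review bot: The allowlist filter `tineGroups.filter(group => userGroups.includes(group))` assumes the value read on the new `const userGroups = event.user.app_metadata?.groups || [];` line is an array; if `app_metadata.groups` is ever stored as a string, `String.prototype.includes` does substring matching and a value such as `"not_team_moco"` would satisfy the `team_moco` entry and be asserted to the relying party. Guard the shape before filtering, e.g. `const rawGroups = event.user.app_metadata?.groups;` followed by `const userGroups = Array.isArray(rawGroups) ? rawGroups : [];`. The `// DELETE the standard group claim` comment relies on `setAttribute(name, null)` removing the attribute rather than emitting an empty one; a one-line note citing where that behaviour is documented would help, because if the `Group` claim survived it would carry whatever the default mapping puts there, unfiltered by this allowlist (the default mapping is not visible in the hunk). The enclosing `onExecutePostLogin` and its `switch` start before and continue after this hunk.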
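Review bot: The updated fixture `_event.user.app_metadata = {};` / `_event.user.app_metadata.groups = [...]` only exercises the populated path, so the optional chain and the `|| []` fallback the action now depends on have no coverage; a regression that drops either would not be caught here. Add a case that leaves `_event.user.app_metadata` undefined and expects `"http://sso.mozilla.com/claim/groups": []` alongside the null `"http://schemas.xmlsoap.org/claims/Group"` entry, which also pins that a user without any groups gets an empty claim rather than a thrown error. The `test.each` callback continues past the end of this hunk.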